The app is the key toenabling Positive Securityfor your API

Approov enables software attestation for mobile apps. It allows your apps to uniquely identify
themselves as the genuine, untampered software images you originally published. In exchange for this proof the app is
granted a token which can then be presented to your API with each request. Your server side implementation can then
differentiate between requests from known apps, which will contain a valid token, and requests from unknown sources, which will not.

The Approov API Protection Solution

Approov is comprised of three components which are integrated with your app and the servers providing
the API.

A Client SDK that is built into your iOS or Android app which handles all of the work necessary to attest the
app and fetch a token.

A Cloud based attestation service which issues tokens to apps containing the Client SDK and successfully attest.

A few lines of code which you add to your API implementation to validate the Approov token sent with requests
from the app.

Each component is straightforward to integrate into your software architecture and development
flow. Once deployed, the Client SDK in your app can be called whenever the app makes an API request that should be
protected. The client SDK typically has a valid token cached and will return it immediately, resulting in zero overhead for
the majority of API accesses.

No Token Stealing

To mitigate theft, tokens have a very limited lifetime and the Approov SDK manages the token
fetching and caching for you. This minimizes the complexity and latency when adding Approov to your app.

No Replay Attacks

When the SDK requires a new token it begins the attestation process by requesting a random value
(nonce) from the Approov Cloud Service which is used to seed the signature hash of the app. Running heavily obfuscated
and defended code, the integrity of the Approov SDK itself is measured along with the rest of the app content. The
combined cryptographic hash is sensitive to any change in the app or the code used to measure it. Since the hash is
seeded with the nonce value it will always be unique and cannot be replayed by an attacker.

Server-side Token Validation

This resulting app signature is sent to the Approov Cloud Service as part of a token request
along with other information about the app and the device it is running on. The cloud service then always responds with a
signed JSON Web Token (JWT).

No Modified Apps

Since the Approov Cloud Service knows the contents of a registered good app it is able to perform the
same calculation as the Approov SDK. If the app signature reported by the app is consistent with a registered app and
all security checks pass, then the issued JWT will be signed with a secret associated with your account. Otherwise the
JWT is not signed correctly. Since the app itself does not know the secret it does not know whether it passed or failed
the integrity check, making it extremely difficult to reverse engineer the protocol.

The token is returned to your app whenever one of the fetchApproovToken calls is made to the SDK.
Your app should then add the JWT base64 encoded string to the headers of any request to the API. Your API implementation can then check
the validity of the token using one of the standard JWT libraries available for almost all platforms and the secret
provided when you signed up to the Approov service.

App Integration

Adding Approov API protection to your iOS or Android app is a straightforward process and can be
easily integrated into most development flows.

Once you have set up your Approov Cloud Service account, you will be able to download a copy of
the Approov SDK. The SDK handles all of the interactions
with the Approov Cloud Service required to establish the authenticity of your app once it has been deployed.

Once the SDK is built into your app, tokens can be fetched using one of the tokenFetch calls available
on the simple API provided by the SDK. A token can then be inserted into any suitable HTTP header field for each API
request dependent via whichever framework you are using to communicate with your API.

Once the SDK has been hooked into your app you must register it with the Approov Cloud Service.
This is done by running the registration tool downloaded from your Approov account with your library. The
registration process generates the same signature for the app as the SDK does at runtime and is used as a basis for
verifying that an attestation request comes from a genuine app.

Once registered with Approov, the app is published as normal. Since Approov checks for changes in
the app’s signature to detect app repackaging, it is important to repeat the registration process every time you release
a new version of the app. Approov supports multiple versions of the app being in circulation. You can remove app
signatures from the Approov service at any time via your account, allowing you to tightly control which versions of the
software can access your API.

Server Integration

Once the SDK has been integrated with your app and tokens are being added to your API request
headers you need to modify your Server code to act upon this extra information.

How your Server side code treats tokens is entirely up to you. Approov gives you the flexibility
to balance your security needs against API accessibility. Regardless of the action taken the token check is straightforward.
Since the Approov token is in JWT format it can be interpreted using libraries available for the vast majority of server
platforms and languages. All that is required is to test that the token is signed with the secret string provided with
your Approov account.